Key storage and retrieval in a breakout component at the edge of a mobile data network

ABSTRACT

Mobile network services are performed in a mobile data network in a way that is transparent to most of the existing equipment in the mobile data network. The mobile data network includes a radio access network and a core network. A breakout component in the radio access network breaks out data coming from a basestation, and performs one or more mobile network services at the edge of the mobile data network based on the broken out data. These services may require the use of keys. Keys are stored and retrieved from a non-volatile key storage in a way that assures subsystems that need the keys have access to the keys. The keys retrieved from the non-volatile key storage are stored in a shared memory in the requesting subsystem, which allows any applications that requires access to the keys to directly access the keys in the shared memory.

BACKGROUND

1. Technical Field

This disclosure generally relates to mobile data systems, and morespecifically relates to key storage and retrieval in a breakoutcomponent at the edge of a mobile data network.

2. Background Art

Mobile phones have evolved into “smart phones” that allow a user notonly to make a call, but also to access data, such as e-mails, theinternet, etc. Mobile phone networks have evolved as well to provide thedata services that new mobile devices require. For example, 3G networkscover most of the United States, and allow users high-speed wirelessdata access on their mobile devices. In addition, phones are not theonly devices that can access mobile data networks. Many mobile phonecompanies provide equipment and services that allow a subscriber to pluga mobile access card into a Universal Serial Bus (USB) port on a laptopcomputer, and provide wireless internet to the laptop computer throughthe mobile data network. In addition, some newer mobile phones allow themobile phone to function as a wireless hotspot, which supportsconnecting several laptop computers or other wireless devices to themobile phone, which in turn provides data services via the mobile datanetwork. As time marches on, the amount of data served on mobile datanetworks will continue to rise exponentially.

Mobile data networks include very expensive hardware and software, soupgrading the capability of existing networks is not an easy thing todo. It is not economically feasible for a mobile network provider tosimply replace all older equipment with new equipment due to the expenseof replacing the equipment. For example, the next generation wirelessnetwork in the United States is the 4G network. Many mobile data networkproviders are still struggling to get their entire system upgraded toprovide 3G data services. Immediately upgrading to 4G equipment is notan economically viable option for most mobile data network providers. Inmany locations, portions of the mobile data network are connectedtogether by point to point microwave links. These microwave links havelimited bandwidth. To significantly boost the throughput of these linksrequires the microwave links to be replaced with fiber optic cable butthis option is very costly.

Some services in a mobile data network require secure keys. There aredifferent ways for storing and accessing keys. For example, in oneparticular implementation in the prior art, keys are stored in anon-volatile storage, and are read from the non-volatile storage whenneeded. In a mobile data network that includes many different systemsand subsystems, free and easy access to keys is not desirable becausesuch a system can be easily hacked. Instead, a more secure way to storeand handle keys is needed.

BRIEF SUMMARY

Mobile network services are performed in a mobile data network in a waythat is transparent to most of the existing equipment in the mobile datanetwork. The mobile data network includes a radio access network and acore network. A breakout component in the radio access network breaksout data coming from a basestation, and performs one or more mobilenetwork services at the edge of the mobile data network based on thebroken out data. These services may require the use of keys. Keys arestored and retrieved from a non-volatile key storage in a way thatassures subsystems that need the keys have access to the keys. The keysretrieved from the non-volatile key storage are stored in a sharedmemory in the requesting subsystem, which allows any applications thatrequires access to the keys to directly access the keys in the sharedmemory.

The foregoing and other features and advantages will be apparent fromthe following more particular description, as illustrated in theaccompanying drawings.

BRIEF DESCRIPTION OF THE SEVERAL VIEWS OF THE DRAWING(S)

The disclosure will be described in conjunction with the appendeddrawings, where like designations denote like elements, and:

FIG. 1 is a block diagram of a prior art mobile data network;

FIG. 2 is a block diagram of a mobile data network that includes first,second and third service mechanisms that all communicate via an overlaynetwork;

FIG. 3 is a block diagram of one possible implementation for parts ofthe mobile data network shown in FIG. 2 to illustrate the overlaynetwork;

FIG. 4 is a block diagram of the MIOP@NodeB shown in FIG. 2, whichincludes a first service mechanism;

FIG. 5 is a block diagram of the MIOP@RNC shown in FIG. 2, whichincludes a second service mechanism;

FIG. 6 is a block diagram of the MIOP@Core shown in FIG. 2, whichincludes a third service mechanism;

FIG. 7 is a block diagram of a management mechanism coupled to theoverlay network that manages the functions of MIOP@NodeB, MIOP@RNC, andMIOP@Core;

FIG. 8 is a flow diagram of a method performed by MIOP@NodeB shown inFIGS. 2 and 4;

FIG. 9 is a block diagram showing breakout criteria MIOP@RNC may use inmaking a decision of whether or not to break out data;

FIG. 10 is a flow diagram of a method for the MIOP@NodeB and MIOP@RNC todetermine when to break out data;

FIG. 11 is a flow diagram of a method for the first service mechanism inMIOP@NodeB to selectively break out data when break out for a specifiedsubscriber session has been authorized;

FIG. 12 is a flow diagram of a method for determining when to run MIOPservices for a specified subscriber session;

FIGS. 13-15 are flow diagrams that each show communications between MIOPcomponents when MIOP services are running; and

FIG. 16 is a flow diagram of a method for managing and adjusting theMIOP components;

FIG. 17 is a block diagram of one specific implementation for MIOP@NodeBand MIOP@RNC;

FIGS. 18 and 19 show a flow diagram of a first method for the specificimplementation shown in FIG. 17;

FIG. 20 is a flow diagram of a second method for the specificimplementation shown in FIG. 17;

FIG. 21 is a flow diagram of a third method for the specificimplementation shown in FIG. 17;

FIG. 22 is a flow diagram of a method for the specific implementationshown in FIG. 17 to process a data request that results in a cache missat MIOP@NodeB;

FIG. 23 is a flow diagram of a method for the specific implementationshown in FIG. 17 to process a data request that results in a cache hitat MIOP@NodeB;

FIG. 24 is a block diagram of one specific hardware architecture forMIOP@NodeB;

FIG. 25 is a block diagram of the system controller shown in FIG. 24;

FIG. 26 is a block diagram of the service processor shown in FIG. 24;

FIG. 27 is a block diagram of the security subsystem shown in FIG. 24;

FIG. 28 is a block diagram of the telco breakout system shown in FIG.24;

FIG. 29 is a block diagram of the edge application mechanism 2530 shownin FIG. 25 that performs multiple services at the edge of a mobile datanetwork based on data broken-out at the edge of the mobile data network;

FIG. 30 is a flow diagram of a method for storing keys in the MIOP@NodeBshown in FIG. 24;

FIG. 31 is a diagram of a command for writing a key to the securitysubsystem;

FIG. 32 is a flow diagram of a method for a subsystem to retrieve a keyfrom the security subsystem;

FIG. 33 is a diagram of a command for reading a key from the securitysubsystem; and

FIG. 34 is a flow diagram of a method for allowing an application toaccess a key in a subsystem.

DETAILED DESCRIPTION

The claims and disclosure herein provide mechanisms and methods forperforming mobile network services in a mobile data network within theexisting infrastructure of the mobile data network. These services mayrequire access to keys, which are stored in a non-volatile key storagein a security subsystem. They keys may be read by a subsystem from thesecurity subsystem, and are then written to a shared memory on thesubsystem. Applications that require access to a key may then access thekey in the shared memory on the subsystem.

Referring to FIG. 1, a prior art mobile data network 100 is shown.Mobile data network 100 is representative of known 3G networks. Themobile data network 100 preferably includes a radio access network(RAN), a core network, and an external network, as shown in FIG. 1. Theradio access network includes the tower 120, basestation 122 with itscorresponding NodeB 130, and a radio interface on a radio networkcontroller (RNC) 140. The core network includes a network interface onthe radio network controller 140, the serving node 150, gateway node 160and operator service network 170 (as part of the mobile data network).The external network includes any suitable network. One suitable examplefor an external network is the internet 180, as shown in the specificexample in FIG. 1.

In mobile data network 100, user equipment 110 communicates via radiowaves to a tower 120. User equipment 110 may include any device capableof connecting to a mobile data network, including a mobile phone, atablet computer, a mobile access card coupled to a laptop computer, etc.The tower 120 communicates via network connection to a basestation 122.Each basestation 122 includes a NodeB 130, which communicates with thetower 120 and the radio network controller 140. Note there is a fan-outthat is not represented in FIG. 1. Typically there are tens of thousandsof towers 120. Each tower 120 typically has a corresponding base station122 with a NodeB 130 that communicates with the tower. However, networkcommunications with the tens of thousands of base stations 130 areperformed by hundreds of radio network controllers 140. Thus, each radionetwork controller 140 can service many NodeBs 130 in basestations 122.There may also be other items in the network between the basestation 130and the radio network controller 140 that are not shown in FIG. 1, suchas concentrators (points of concentration) or RAN aggregators thatsupport communications with many basestations.

The radio network controller 140 communicates with the serving node 150.In a typical 3G network, the serving node 150 is an SGSN, which is shortfor Service GPRS Support Node, where GPRS stands for general packetradio service. The serving node 150 mediates access to network resourceson behalf of mobile subscribers and implements the packet schedulingpolicy between different classes of quality of service. It is alsoresponsible for establishing the Packet Data Protocol (PDP) context withthe gateway node 160 for a given subscriber session. The serving node150 is responsible for the delivery of data packets from and to thebasestations within its geographical service area. The tasks of theserving node 150 include packet routing and transfer, mobilitymanagement (attach/detach and location management), logical linkmanagement, and authentication and charging functions. The serving node150 stores location information and user profiles of all subscribersregistered with the serving node 150. Functions the serving node 150typically performs include GPRS tunneling protocol (GTP) tunneling ofpackets, performing mobility management as user equipment moves from onebasestation to the next, and billing user data.

In a typical 3G network, the gateway node 160 is a GGSN, which is shortfor gateway GPRS support node. The gateway node 160 is responsible forthe interworking between the core network and external networks. Fromthe viewpoint of the external networks 180, gateway node 160 is a routerto a sub-network, because the gateway node 160 “hides” the core networkinfrastructure from the external network. When the gateway node 160receives data from an external network (such as internet 180) addressedto a specific subscriber, it forwards the data to the serving node 150serving the subscriber. For inactive subscribers paging is initiated.The gateway node 160 also handles routing packets originated from theuser equipment 110 to the appropriate external network. As anchor pointthe gateway node 160 supports the mobility of the user equipment 110. Inessence, the gateway node 160 maintains routing necessary to tunnel thenetwork packets to the serving node 150 that services a particular userequipment 110.

The gateway node 160 converts the packets coming from the serving node150 into the appropriate packet data protocol (PDP) format (e.g., IP orX.25) and sends them out on the corresponding external network. In theother direction, PDP addresses of incoming data packets from theexternal network 180 are converted to the address of the subscriber'suser equipment 110. The readdressed packets are sent to the responsibleserving node 150. For this purpose, the gateway node 160 stores thecurrent serving node address of the subscriber and his or her profile.The gateway node 160 is responsible for IP address assignment and is thedefault router for the subscriber's user equipment 110. The gateway node160 also performs authentication, charging and subscriber policyfunctions. One example of a subscriber policy function is “fair use”bandwidth limiting and blocking of particular traffic types such as peerto peer traffic. Another example of a subscriber policy function isdegradation to a 2G service level for a prepaid subscriber when theprepaid balance is zero.

A next hop router located in the operator service network (OSN) 170receives messages from the gateway node 160, and routes the trafficeither to the operator service network 170 or via an internet serviceprovider (ISP) towards the internet 180. The operator service network170 typically includes business logic that determines how the subscribercan use the mobile data network 100. The business logic that providesservices to subscribers may be referred to as a “walled garden”, whichrefers to a closed or exclusive set of services provided forsubscribers, including a carrier's control over applications, contentand media on user equipment.

Devices using mobile data networks often need to access an externalnetwork, such as the internet 180. As shown in FIG. 1, when a subscriberenters a request for data from the internet, that request is passed fromthe user equipment 110 to tower 120, to NodeB 130 in basestation 122, toradio network controller 140, to serving node 150, to gateway node 160,to operator service network 170, and to internet 180. When the requesteddata is delivered, the data traverses the entire network from theinternet 180 to the user equipment 110. The capabilities of known mobiledata networks 100 are taxed by the ever-increasing volume of data beingexchanged between user equipment 110 and the internet 180 because alldata between the two have to traverse the entire network.

Some efforts have been made to offload internet traffic to reduce thebackhaul on the mobile data network. For example, some mobile datanetworks include a node called a HomeNodeB that is part of the radioaccess network. Many homes have access to high-speed Internet, such asDirect Subscriber Line (DSL), cable television, wireless, etc. Forexample, in a home with a DSL connection, the HomeNodeB takes advantageof the DSL connection by routing Internet traffic to and from the userequipment directly to the DSL connection, instead of routing theInternet traffic through the mobile data network. While this may be aneffective way to offload Internet traffic to reduce backhaul, theHomeNodeB architecture makes it difficult to provide many mobile networkservices such as lawful interception, mobility, and chargingconsistently with the 3G or 4G mobile data network.

Referring to FIG. 2, a mobile data network 200 includes mechanisms thatprovide various services for the mobile data network in a way that istransparent to most of the existing equipment in the mobile datanetwork. FIG. 2 shows user equipment 110, tower 120, NodeB 130, radionetwork controller 140, serving node 150, gateway node 160, operatorservice node 170, and internet 180, the same as shown in FIG. 1. Theadditions to the mobile data network 200 when compared with the priorart mobile data network 100 in FIG. 1 include the addition of threecomponents that may provide mobile network services in the mobile datanetwork, along with a network management mechanism to manage the threecomponents. The mobile network services are performed by what is calledherein a Mobile Internet Optimization Platform (MIOP), and the mobilenetwork services performed by the Mobile Internet Optimization Platformare referred to herein as MIOP services. The three MIOP components thatprovide these mobile network services are shown in FIG. 2 as MIOP@NodeB210, MIOP@RNC 220 and MIOP@Core 230. A network management system shownas MIOP@NMS 240 manages the overall solution by: 1) managing thefunction of the three MIOP components 210, 220 and 230; 2) determiningwhich MIOP@NodeBs in the system aggregate to which MIOP@RNCs via theoverlay network for performance, fault and configuration management; and3) monitoring performance of the MIOP@NodeBs to dynamically change andconfigure the mobile network services. The MIOP@NodeB 210, MIOP@RNC 220,MIOP@Core 230, MIOP@NMS 240, and the overlay network 250, and any subsetof these, and are referred to herein as MIOP components.

The mobile network services provided by MIOP@NodeB 210, MIOP@RNC 220,and MIOP@Core 230 include any suitable services on the mobile datanetwork, such as data optimizations, RAN-aware services,subscriber-aware services, edge-based application serving, edge-basedanalytics, etc. All mobile network services performed by all ofMIOP@NodeB 210, MIOP@RNC 220, and MIOP@Core 230 are included in the termMIOP services as used herein. In addition to the services being offer inthe MIOP components MIOP@NodeB 210, MIOP@RNC 220, and MIOP@Core 230, thevarious MIOP services could also be provided in a cloud based manner.

MIOP@NodeB 210 includes a first service mechanism and is referred to asthe “edge” based portion of the MIOP solution. MIOP@NodeB 210 resides inthe radio access network and has the ability to intercept all traffic toand from the NodeB 130. MIOP@NodeB 210 preferably resides in the basestation 222 shown by the dotted box in FIG. 2. Thus, all data to andfrom the NodeB 130 to and from the radio network controller 140 isrouted through MIOP@NodeB 210. MIOP@NodeB performs what is referred toherein as breakout of data on the intercepted data stream. MIOP@NodeBmonitors the signaling traffic between NodeB and RNC and on connectionsetup intercepts in particular the setup of the transport layer(allocation of the UDP Port, IP address or AAL2 channel). For registeredsessions the breakout mechanism 410 will be configured in a way that alltraffic belonging to this UDP Port, IP address to AAL2 channel will beforwarded to an data offload function. MIOP@NodeB 210 thus performsbreakout of data by defining a previously-existing path in the radioaccess network for non-broken out data, by defining a new second datapath that did not previously exist in the radio access network forbroken out data, identifying data received from a corresponding NodeB asdata to be broken out, sending the data to be broken out on the seconddata path, and forwarding other data that is not broken out on the firstdata path. The signaling received by MIOP@NodeB 210 from NodeB 130 isforwarded to RNC 140 on the existing network connection to RNC 140, eventhough the data traffic is broken out. Thus, RNC 140 sees the signalingtraffic and knows the subscriber session is active, but does not see theuser data that is broken out by MIOP@NodeB 210. MIOP@NodeB thus performstwo distinct functions depending on the monitored data packets: 1)forward the data packets to RNC 140 for signaling traffic and user datathat is not broken out (including voice calls); and 2) re-route the datapackets for user data that is broken out.

Once MIOP@NodeB 210 breaks out user data it can perform any suitableservice based on the traffic type of the broken out data. Because theservices performed by MIOP@NodeB 210 are performed in the radio accessnetwork (e.g., at the basestation 222), the MIOP@NodeB 210 can servicethe user equipment 110 much more quickly than can the radio networkcontroller 140. In addition, by having a MIOP@NodeB 210 that isdedicated to a particular NodeB 130, one MIOP@NodeB only needs toservice those subscribers that are currently connected via a singleNodeB. The radio network controller, in contrast, which typicallyservices dozens or even hundreds of basestations, must service all thesubscribers accessing all basestations it controls from a remotelocation. As a result, MIOP@NodeB is in a much better position toprovide services that will improve the quality of service and experiencefor subscribers than is the radio network controller.

Breaking out data in the radio access network by MIOP@NodeB 210 allowsfor many different types of services to be performed in the radio accessnetwork. These services may include optimizations that are similar tooptimizations provided by known industry solutions between radio networkcontrollers and the serving node. However, moving these optimizations tothe edge of the mobile data network will not only greatly improve thequality of service for subscribers, but will also provide a foundationfor applying new types of services at the edge of the mobile datanetwork, such as terminating machine-to-machine (MTM) traffic at theedge (e.g., in the basestation), hosting applications at the edge, andperforming analytics at the edge.

MIOP@RNC 220 includes a second service mechanism in mobile data network200. MIOP@RNC 220 monitors all communication between the radio networkcontroller 140 and serving node 150. The monitored communications areall communications to and from the radio network controller and the restof the core network. MIOP@RNC 220 may provide one or more services forthe mobile data network. MIOP@RNC 220 preferably makes the decision ofwhether or not to allow breakout of data. If MIOP@RNC 220 decides tobreakout data for a given subscriber session, it may send a message toMIOP@NodeB 210 authorizing breakout by MIOP@NodeB 210, or may decide tobreakout the data at MIOP@RNC 220, depending on the configured breakoutdecision criteria and selected radio channel. Because messages to andfrom the core network establishing the PDP context for a givensubscriber session are monitored by MIOP@RNC 220, the decision ofwhether or not to breakout data resides in the MIOP@RNC 220.

MIOP@Core 230 includes a third service mechanism in the mobile datanetwork 200. MIOP@Core 230 may include all the same services as MIOP@RNC220, or any suitable subset of those services. If the decision is madenot to provide services at MIOP@NodeB 210 or MIOP@RNC 220, these sameservices plus more sophisticated services can be performed at MIOP@Core230. Thus, mobile data network 200 provides flexibility by allowing adecision to be made of where to perform which services. BecauseMIOP@NodeB 210, MIOP@RNC 220 and MIOP@Core 230 preferably include someof the same services, the services between components may interact(e.g., MIOP@NodeB and MIOP@Core may interact to optimize TCP trafficbetween them), or the services may be distributed across the mobile datanetwork (e.g., MIOP@NodeB performs breakout and provides services forhigh-speed traffic, MIOP@RNC performs breakout and provides services forlow-speed traffic, and MIOP@Core provides services for non-broken outtraffic). The MIOP system architecture thus provides a very powerful andflexible solution, allowing dynamic configuring and reconfiguring on thefly of which services are performed by the MIOP components and where. Inaddition, these services may be implemented taking advantage of existinginfrastructure in a mobile data network.

MIOP@NMS 240 is a network management system that monitors and controlsthe functions of MIOP@NodeB 210, MIOP@RNC 220, and MIOP@Core 230.MIOP@NMS 240 preferably includes MIOP internal real-time or nearreal-time performance data monitoring to determine if historical oradditional regional dynamic changes are needed to improve services onthe mobile data network 200. MIOP@NMS 240 provides a user interface thatallows a system administrator to operate and to configure how the MIOPcomponents 210, 220 and 230 function.

The overlay network 250 allows MIOP@NodeB 210, MIOP@RNC 220, MIOP@Core230, and MIOP@NMS 240 to communicate with each other. The overlaynetwork 250 is preferably a virtual private network primarily on anexisting physical network in the mobile data network. Thus, whileoverlay network 250 is shown in FIG. 2 separate from other physicalnetwork connections, this representation in FIG. 2 is a logicalrepresentation.

FIG. 3 shows one suitable implementation of a physical network and theoverlay network in a sample mobile data system. The existing physicalnetwork in the mobile data network before the addition of the MIOP@NodeB210, MIOP@RNC 220, and MIOP@Core 230 is shown by the solid lines witharrows. This specific example in FIG. 3 includes many NodeBs, shown inFIG. 1 as 130A, 130B, 130C, . . . , 130N. Some of the NodeBs have acorresponding MIOP@NodeB. FIG. 3 illustrates that MIOP@NodeBs (such as210A and 210N) can be placed in a basestation with its correspondingNodeB, or can be placed upstream in the network after a point ofconcentration (such as 210A after POC3 310). FIG. 3 also illustratesthat a single MIOP@NodeB such as MIOP@NodeB1 210A can service twodifferent NodeBs, such as NodeB1 130A and NodeB2 130B. Part of theoverlay network is shown by the dotted lines between MIOP@NodeB1 210Aand second point of concentration POC2 320, between MIOP@NodeB3 210C andPOC3 315, between MIOP@NodeBN 210N and POC3 315, and between POC3 315and POC2 320. Note the overlay network in the radio access networkportion is a virtual private network that is implemented on the existingphysical network connections. The overlay network allows the MIOP@NodeBs210A, 210C and 210N to communicate with each other directly, which makessome services possible in the mobile data network 200 that werepreviously impossible. FIG. 3 shows MIOP@NodeB1 210A connected to asecond point of concentration POC2 320. The broken arrows coming in fromabove at POC2 320 represent connections to other NodeBs, and could alsoinclude connections to other MIOP@NodeBs. Similarly, POC2 320 isconnected to a third point of concentration POC1 330, with possiblyother NodeBs or MIOP@NodeBs connected to POC1. The RNC 140 is shownconnected to POC1 330, and to a first router RT1 340 in the corenetwork. The router RT1 340 is also connected to the SGSN 150. While notshown in FIG. 3 for the sake of simplicity, it is understood that SGSNin FIG. 3 is also connected to the upstream core components shown inFIG. 2, including GGSN 160, OSN 170 and internet 180.

As shown in FIG. 3, the overlay network from the NodeBs to POC1 330 is avirtual private network implemented on existing physical networkconnections. However, the overlay network requires a second router RT2350, which is connected via a physical network connection 360 to POC1330, and is connected via physical network connection 370 to MIOP@RNC220. This second router RT2 350 may be a separate router, or may be arouter implemented within MIOP@RNC 220. MIOP@RNC 220 is also connectedto router RT1 340 via a physical network connection 380, and is alsoconnected to MIOP@Core 230. Physical connection 380 in FIG. 3 is shownin a line with short dots because it is not part of the pre-existingphysical network before adding the MIOP components (arrows with solidlines) and is not part of the overlay network (arrows with long dots).Note the connection from MIOP@RNC 220 to MIOP@Core 230 is via existingphysical networks in the core network.

We can see from the configuration of the physical network and overlaynetwork in FIG. 3 that minimal changes are needed to the existing mobiledata network to install the MIOP components. The most that must be addedis one new router 350 and three new physical network connections 360,370 and 380. Once the new router 350 and new physical networkconnections 360, 370 and 380 are installed, the router 350 and MIOPcomponents are appropriately configured, and the existing equipment inthe mobile data network is configured to support the overlay network,the operation of the MIOP components is completely transparent toexisting network equipment.

As can be seen in FIG. 3, data on the overlay network is defined onexisting physical networks from the NodeBs to POC1. From POC1 theoverlay network is on connection 360 to RT2 350, and on connection 370to MIOP@RNC 220. Thus, when MIOP@NodeB 210 in FIG. 2 needs to send amessage to MIOP@RNC 220, the message is sent by sending packets via avirtual private network on the physical network connections to POC1,then to RT2 350, then to MIOP@RNC 220. Virtual private networks arewell-known in the art, so they are not discussed in more detail here.

Referring to FIG. 4, MIOP@NodeB 210 preferably includes a breakoutmechanism 410, an edge service mechanism 430, and an overlay networkmechanism 440. The breakout mechanism 410 determines breakoutpreconditions 420 that, when satisfied, allow breakout to occur at thisedge location. Breakout mechanism 410 in MIOP@NodeB 210 communicateswith the breakout mechanism 510 in MIOP@RNC 220 shown in FIG. 5 to reacha breakout decision. The breakout mechanism 410, after receiving amessage from MIOP@RNC 220 authorizing breakout on connection setupintercepts in particular the setup of the transport layer (allocation ofthe UDP Port, IP address or AAL2 channel). For authorized sessions thebreakout mechanism 410 will be configured in a way that all trafficbelonging to this UDP Port, IP address to AAL2 channel will be forwardedto a data offload function. For traffic that should not be broken out,the breakout mechanism 410 sends the data on the original data path inthe radio access network. In essence, MIOP@NodeB 210 intercepts allcommunications to and from the basestation 130, and can perform services“at the edge”, meaning at the edge of the radio access network that isclose to the user equipment 110. By performing services at the edge, theservices to subscribers may be increased or optimizes without requiringhardware changes to existing equipment in the mobile data network.

The breakout mechanism 410 preferably includes breakout preconditions420 that specify one or more criterion that must be satisfied beforebreakout of data is allowed. One suitable example of breakoutpreconditions is the speed of the channel. In one possibleimplementation, only high-speed channels will be broken out atMIOP@NodeB 210. Thus, breakout preconditions 420 could specify thatsubscribers on high-speed channels may be broken out, while subscriberson low-speed channels are not broken out at MIOP@NodeB 210. When thebreakout preconditions 420 are satisfied, the MIOP@NodeB 210 registersthe subscriber session with MIOP@RNC 220. This is shown in method 800 inFIG. 8. MIOP@NodeB 210 intercepts and monitors network traffic to andfrom NodeB (basestation) (step 810). When the traffic does not satisfythe breakout preconditions (step 820=NO), method 800 returns to step810. When the traffic satisfies the breakout conditions (step 820=YES),MIOP@NodeB 210 sends a message to MIOP@RNC 220 on the overlay network250 to register the subscriber session for breakout (step 830). With thesubscriber session registered with MIOP@RNC 220, the MIOP@RNC 220 willdetermine whether or not to breakout data for the subscriber session,and where the breakout is done, as explained in more detail below.

Referring back to FIG. 4, MIOP@NodeB 210 also includes an edge servicemechanism 430. The edge service mechanism 430 provides one or moreservices for the mobile data network 200. The edge service mechanism 430may include any suitable service for the mobile data network includingwithout limitation caching of data, data or video compressiontechniques, push-based services, charging, application serving,analytics, security, data filtering, new revenue-producing services,etc. The edge service mechanism is the first of three service mechanismsin the MIOP components. While the breakout mechanism 410 and edgeservice mechanism 430 are shown as separate entities in FIG. 4, thefirst service mechanism could include both breakout mechanism 410 andedge service mechanism 430.

MIOP@NodeB 210 also includes an overlay network mechanism 440. Theoverlay network mechanism 440 provides a connection to the overlaynetwork 250 in FIG. 2, thereby allowing MIOP@NodeB 210 to communicatewith MIOP@RNC 220, MIOP@Core 230, and MIOP@NMS 240. As stated above, theoverlay network 250 is preferably a virtual private network primarily onan existing physical network in the mobile data network 200.

Referring to FIG. 5, MIOP@RNC 220 preferably includes a breakoutmechanism 510, an RNC service mechanism 540, an overlay networkmechanism 550, and business intelligence 560. Breakout mechanism 510includes breakout criteria 520 that specifies one or more criterionthat, when satisfied, allows breakout of data. Subscriber registrationmechanism 530 receives messages from MIOP@NodeB 210, and registerssubscriber sessions for which the breakout preconditions 420 inMIOP@NodeB 210 are satisfied. When the breakout mechanism 510 determinesthe breakout criteria 520 is satisfied, the breakout mechanism 510 willthen determine where the breakout should occur. When the breakout canoccur at MIOP@NodeB 210, the MIOP@RNC 220 sends a message to MIOP@NodeB210 on the overlay network 250 authorizing breakout at MIOP@NodeB 210.When the breakout should occur at MIOP@RNC 220, the breakout mechanism510 in MIOP@RNC 220 performs the breakout as well for the trafficremaining then). This is shown in more detail in method 1000 in FIG. 10.MIOP@RNC monitors network traffic between the radio network controller140 and the serving node 150 (step 1010). When the traffic does notsatisfy the breakout criteria (step 1020=NO), method 1000 loops back tostep 1010. When the network traffic satisfies the breakout criteria(step 1020=YES), the breakout mechanism 510 determines whether thesubscriber session is registered for breakout (step 1030). A subscribersession is registered for breakout when the MIOP@NodeB 210 determinedthe traffic satisfied the breakout preconditions and registered thesubscriber session for breakout, as shown in FIG. 8. Returning to FIG.10, when the subscriber is registered for breakout (step 1030=YES),MIOP@RNC 220 sends a message via the overlay network 250 to MIOP@NodeB210 authorizing breakout of traffic for the subscriber session (step1040). MIOP@NodeB 210 may then breakout traffic for the subscribersession (step 1050). When the subscriber is not registered for breakout(step 1030=NO), method 1000 checks to see if MIOP@RNC is going to dobreakout (step 1060). If not (step 1060=NO), method 1000 is done. WhenMIOP@RNC is going to do breakout (step 1060=YES), the traffic is thenbroken out at MIOP@RNC (step 1070).

In one specific example, the breakout preconditions specify onlyhigh-speed channels are broken out at MIOP@NodeB 210, and when thebreakout preconditions are satisfied, the subscriber session isregistered for breakout, as shown in FIG. 8. FIG. 10 illustrates thateven when the breakout preconditions are not satisfied, breakout canstill be performed at MIOP@RNC 220. Thus, even if the subscriber sessionis on a low-speed channel, if all the other breakout criteria aresatisfied, breakout of the low-speed channel may be performed atMIOP@RNC 220. The mobile data network 200 thus provides greatflexibility in determining when to do breakout and where.

Referring back to FIG. 5, the RNC service mechanism 540 provides one ormore services for the mobile data network. RNC service mechanism 540 isthe second of three service mechanisms in the MIOP components. The RNCservice mechanism 540 may include any suitable service for the mobiledata network, including without limitation caching of data, data orvideo compression techniques, push-based services, charging, applicationserving, analytics, security, data filtering, new revenue-producingservices, etc.

While the breakout mechanism 510 and RNC service mechanism 540 are shownas separate entities in FIG. 5, the second service mechanism couldinclude both breakout mechanism 510 and RNC service mechanism 540. Theoverlay network mechanism 550 is similar to the overlay networkmechanism 440 in FIG. 4, providing a logical network connection to theother MIOP components on the overlay network 250 in FIG. 2. MIOP@RNC 220also includes business intelligence 560, which includes:

-   -   1) historical subscriber information received from the mobile        data network over time, such as mobility and location, volumes,        traffic types, equipment used, etc.    -   2) network awareness, including NodeB load states, service area        code, channel type, number of times channel type switching        occurred for a PDP session, serving cell ID, how many cells and        their IDs are in the active set, PDP context type, PDP sessions        per subscriber, session duration, data consumption, list of        Uniform Resource Locators (URLs) browsed for user        classification, top URL browsed, first time or repeat user,        entry point/referral URLs for a given site, session tracking,        etc.    -   3) association of flow control procedures between NodeB and RNC        to subscribers.

The business intelligence 560 may be instrumented by the RNC servicemechanism 540 to determine when and what types of MIOP services toperform for a given subscriber. For example, services for a subscriberon a mobile phone may differ when compared to services for a subscriberusing a laptop computer to access the mobile data network. In anotherexample, voice over internet protocol (VOIP) session could have the databroken out.

Referring to FIG. 6, the MIOP@Core 230 includes a core service mechanism610 and an overlay network mechanism 620. Core service mechanism 610provides one or more services for the mobile data network. Core servicemechanism 610 is the third of three service mechanisms in the MIOPcomponents. The core service mechanism 610 may include any suitableservice for the mobile data network, including without limitationcaching of data, data or video compression techniques, push-basedservices, charging, application serving, analytics, security, datafiltering, new revenue-producing services, etc. In one specificimplementation, the MIOP@Core 230 is an optional component, because allneeded services could be performed at MIOP@NodeB 210 and MIOP@RNC 220.In an alternative implementation, MIOP@Core 230 performs some services,while MIOP@RNC performs others or none. The overlay network mechanism620 is similar to the overlay network mechanisms 440 in FIGS. 4 and 550in FIG. 5, providing a logical network connection to the other MIOPcomponents on the overlay network 250 in FIG. 2.

Referring to FIG. 7, the MIOP@NMS 240 is a network management systemthat monitors and manages performance of the mobile data network 200,and controls the function of MIOP@NodeB 210, MIOP@RNC 220, and MIOP@Core230. MIOP@NMS 240 preferably includes a network monitoring mechanism710, a performance management mechanism 720, a security managementmechanism 730, and a configuration management mechanism 740. The networkmonitoring mechanism 710 monitors network conditions, such as alarms, inthe mobile data network 200. The performance management mechanism 720can enable, disable or refine certain services by supporting theexecution of services in real-time or near real-time, such as servicesthat gather information to assess customer satisfaction. The securitymanagement mechanism 730 manages security issues in the mobile datanetwork, such as intrusion detection or additional data privacy. Theconfiguration management mechanism 740 controls and manages theconfiguration of MIOP@NodeB 210, MIOP@RNC 220, and MIOP@Core 230 in away that allows them to dynamically adapt to any suitable criteria,including data received from the network monitoring mechanism, time ofday, information received from business intelligence 560, etc.

FIG. 9 shows sample breakout criteria 520 shown in FIG. 5 and used instep 1020 in FIG. 10. Suitable breakout criteria 520 includes accesspoint name, user equipment identifier, user equipment type, quality ofservice, subscriber ID, mobile country code, and mobile network code.For example, breakout criteria 520 could specify to perform MIOPservices for the operator's subscribers, and not to perform MIOPservices for roamers. In another example, the breakout criteria 520could specify to break out only video requests. A static breakoutdecision will be performed during PDP Context Activation. Based on IPflows (e.g. shallow packet inspection of the IP 5 tuple) only specificIP flows maybe identified and broken out dynamically within that PDPsubscriber session (e.g., VOIP traffic), as discussed in more detailbelow with respect to FIG. 11. Breakout criteria 520 expressly extendsto any suitable criteria for making the breakout decision.

Referring again to FIG. 10, when the traffic satisfies the breakoutcriteria (step 1020=YES), and the subscriber session is registered forbreakout (step 1030=YES), MIOP@RNC sends a message to MIOP@NodeBauthorizing breakout of traffic for this subscriber session (step 1040).In response, MIOP@NodeB begins decrypting the bearer, examining thesignaling and user IP traffic tunneled through it and may breakout thetraffic for this subscriber session (step 1050). Note, however,MIOP@NodeB may still decide not to breakout all traffic based on othercriteria, such as type of IP request the destination of the traffic orthe ISO Layer 7 Application of the decrypted user traffic. Determinationof the Application may be performed simply by inspection of the IP5-tuple or optionally via inspection at layer 7 using Deep PacketInspection (DPI) techniques. This is shown in the specific example inFIG. 11. Method 1050 in FIG. 10 is one suitable implementation of step1050 in FIG. 10. MIOP@NodeB monitors IP requests from the subscriber(step 1110). When the user traffic IP request matches a specified typecriteria (step 1120=YES), the IP session is broken out for thesubscriber (step 1130). When the IP request does not match a specifiedcriteria type (step 1120=NO), no breakout is performed. For example,let's assume that IP requests to access video over the RTP layer 7Application Protocol are broken out so the video data may be cached inMIOP@NodeB 210, but other requests, such as Google searches, are not.The MIOP@NodeB monitors the IP requests from the subscriber (step 1110),and when the subscriber session IP request carries RTP traffic is for avideo file (step 1120=YES), the IP session is broken out (step 1130).Otherwise, the IP session is not broken out at MIOP@NodeB. This is onesimple example to illustrate additional flexibility and intelligencewithin MIOP@NodeB that may determine whether or not to perform breakoutfor a given subscriber session at the MIOP@NodeB after being authorizedby MIOP@RNC to perform breakout for that subscriber session. Anysuitable criteria could be used to determine what to breakout and whenat MIOP@NodeB once MIOP@NodeB has been authorized for breakout in step1040 in FIG. 10.

Referring to FIG. 12, method 1200 shows a method for determining when torun MIOP services. The Packet Data Protocol (PDP) activation context fora subscriber is monitored (step 1210). A PDP activation context isestablished when user equipment 110 connects to tower 120 and thesubscriber runs an application that triggers the PDP activationprocedure. The core network will determine the subscriber, and perhapscorresponding user equipment. When MIOP services are allowed (step1220=YES), services for this subscriber session are run (step 1230) uponthe arrival of data from the subscriber. When MIOP services are notallowed (step 1220=NO), no MIOP services are run. In one simple example,MIOP services in the mobile data network are allowed for authorizedsubscribers, but are not allowed for subscribers from a differentwireless company that are roaming.

MIOP services may require communicating between MIOP components on theoverlay network. Referring to FIG. 13, a method 1300 showscommunications by MIOP@NodeB when MIOP services are running (step 1310).When the edge service mechanism requires communication with MIOP@RNC(step 1320=YES), MIOP@NodeB exchanges messages with MIOP@RNC over theoverlay network (step 1330). When the edge service mechanism requirescommunication with MIOP@Core (step 1340=YES), MIOP@NodeB exchangesmessages with MIOP@Core over the overlay network (step 1350). Theoverlay network thus allows the various MIOP components to communicatewith each other when MIOP services are running.

FIG. 14 shows a method 1400 that shows communications by MIOP@RNC whenMIOP services are running (step 1410). When the RNC service mechanismrequires communication with MIOP@NodeB (step 1420=YES), MIOP@RNCexchanges messages with MIOP@NodeB over the overlay network (step 1430).When the RNC service mechanism requires communication with MIOP@Core(step 1440=YES), MIOP@RNC exchanges messages with MIOP@Core over theoverlay network (step 1450).

FIG. 15 shows a method 1500 that shows communications by MIOP@Core whenMIOP services are running (step 1510). When the core service mechanismrequires communication with MIOP@NodeB (step 1520=YES), MIOP@Coreexchanges messages with MIOP@NodeB over the overlay network (step 1530)relayed via MIOP@RNC. When the core service mechanism requirescommunication with MIOP@RNC (step 1540=YES), MIOP@Core exchangesmessages with MIOP@RNC over the overlay network (step 1550).

FIG. 16 shows a method 1600 that is preferably performed by MIOP@NMS 240in FIGS. 2 and 7. The performance and efficiency of the MIOP componentsthat perform MIOP services are monitored (step 1610). The MIOPcomponents that perform MIOP services may include MIOP@NodeB 210,MIOP@RNC 220, and MIOP@Core 230, assuming all of these components arepresent in the mobile data network 200. When performance may be improved(step 1620=YES), the performance of the MIOP components is adjusted (ifimplemented and applicable) by sending one or more network messages viathe overlay network (step 1630). Note also a human operator could alsomanually reconfigure the MIOP components to be more efficient.

Referring to FIG. 17, implementations for MIOP@NodeB 210 and MIOP@RNC220 are shown by way of example. Other implementations are possiblewithin the scope of the disclosure and claims herein. User equipment 110is connected to NodeB 130. Note the antenna 120 shown in FIG. 2 is notshown in FIG. 17, but is understood to be present to enable thecommunication between user equipment 110 and NodeB 130. MIOP@NodeB 210includes an edge cache mechanism 1730, which is one suitable example ofedge service mechanism 430 in FIG. 4. MIOP@NodeB 210 includes aninterface referred to herein as IuB Data Offload Gateway (IuB DOGW)1710. This gateway 1710 implements the breakout mechanism 410 accordingto one or more specified breakout preconditions 420 shown in FIG. 4. IuBDOGW 1710 includes a switching application 1740, an offload data handler1750, and an RNC channel handler 1760. The switching application 1740 isresponsible for monitoring data packets received from NodeB 130,forwards according to it configuration the broken out data packets tothe offload data handler, relays the non-broken out data packets andcontrol system flows to the RNC 140 via the original connections in theRAN. While switching application 1740 is shown as two separate boxes inFIG. 17, this is done to visually indicate the switching application1740 performs switching on two different interfaces, the networkinterface and overlay network interface, but the switching application1740 is preferably a single entity.

When a breakout decision is made and MIOP@RNC 220 sends a message toMIOP@NodeB 210 authorizing breakout (see step 1040 in FIG. 10), whenMIOP@NodeB decides to breakout specified user data, the specified userdata received by the switching application 1740 from NodeB 130 is brokenout, which means the switching application 1740 routes the specifieduser data to the offload data handler 1750 so the broken out data isrouted to the data path defined for breakout data. The offload datahandler 1750 may send the data to the edge cache mechanism 1730 forprocessing, which can route the data directly to MIOP@RNC 220 via theoverlay network, as shown by the path with arrows going from NodeB 130to MIOP@RNC 220.

User data that is not broken out and signaling traffic is routeddirectly back by the switching application 1740 to RNC. In this manner,non-broken out data and signaling traffic passes through the IuB DOGW1710 to RNC 140, while broken out data is routed by the IuB DOGW 1710 toa different destination. Note that edge cache mechanism 1730 may sendmessages to MIOP@RNC 220 as shown in FIG. 17, but the broken outmessages themselves are not sent to MIOP@RNC 220.

MIOP@RNC 220 includes an interface referred to herein as IuPS dataoffload gateway (IuPS DOGW) 1770. IuPS DOGW 1770 forwards all signalingand non-broken out data traffic from RNC 140 to SGSN 150 via the GTPtunnel. IuPS DOGW 1770 includes the breakout mechanism 510, breakoutcriteria 520 and subscriber registration mechanism 530 shown in FIG. 5and discussed above with reference to FIG. 5. IuPS DOGW 1770 mayexchange messages with IuB DOGW 1710 via the overlay network to performany needed service in MIOP@NodeB 210 or MIOP@RNC 220. For the specificimplementation shown in FIG. 17, while the IuPS DOGW 1770 in MIOP@RNC220 does not include an offload data handler, the IuPS DOGW 1770 couldinclude an offload data handler and switching application similar tothose shown in MIOP@NodeB 210 when MIOP@RNC 220 also needs to performbreakout of data.

The IuPS DOGW 1770 includes an RNC channel handler 1780. The RNC channelhandlers 1760 in MIOP@NodeB 210 and 1780 in MIOP@RNC 220 monitor datatraffic to and from RNC 140 related to a broken out subscriber sessionand provide a keep-alive channel maintenance mechanism.

Specific methods are shown in FIGS. 18-21 that illustrate how thespecific implementation in FIG. 17 could be used. FIGS. 18 and 19 show amethod 1800 for setting up breakout of data. The UE sends a connectionrequest to the RNC (step 1810). The RNC sets up a radio link via NodeB(step 1815). The RNC then sets up a network connection with NodeB (step1820). The UE and SGSN then communicate for the attach andauthentication procedure (step 1825). IuB DOGW detects the leadingmessage in the attach and authentication procedure, and registers thesubscriber session with IuPS DOGW when preconditions are fulfilled (e.g.UE is capable to carry high speed traffic) (step 1830). During theattach and authentication procedure, IuPS DOGW monitors the securitycontext sent from SGSN to RNC (step 1835). IuPS DOGW then sends keys toIuB DOGW (step 1840). These keys are needed to decipher (decrypt) theupcoming signaling and uplink user data and to cipher (encrypt) thedownlink user data. UE then requests PDP context activation to SGSN(step 1845). In response, SGSN sets up a network tunnel to RNC (step1850). IuPS DOGW monitors network tunnel setup from SGSN to RNC andmakes a decision breakout=YES (step 1855). IuPS DOGW sends a message toIuB DOGW indicating breakout=YES (step 1860). Continuing on FIG. 19,SGSN sends an RAB assignment request to UE (step 1865). IuPS DOGWdetects the RAB assignment request from SGSN to UE and replaces the SGSNtransport address with IuPS DOGW transport address (step 1870). IuPSDOGW sends a message to MIOP@Core indicating breakout=YES (step 1875).RNC communicates with NodeB and UE to (re) configure signaling and dataradio bearer (step 1880). RNC acknowledges to SGSN when RAB assignmentis complete (step 1885). SGSN accepts PDP context activation by sendinga message to UE (step 1890). UE and SGSN may then exchange data for thePDP context (step 1895).

Referring to FIG. 20, a method 2000 begins by establishing a PDP context(step 2010). Method 1800 in FIGS. 18 and 19 include the detailed stepsfor establishing a PDP context. When breakout=YES, RAB assignmentrequests from SGSN to RNC are monitored by IuPS DOGW (step 2020). IuPSDOGW modifies any RAB assignment requests from SGSN to RNC to replacethe SGSN transport address in the RAB assignment request with the IuPSDOGW transport address (step 2030) in case of matching breakout criteriaduring PDP context activation procedure. The switching application onIuB DOGW is configured upon the RAN transport layer setup to identifybased on IP addresses and ports the broken out traffic and forwards thistraffic to the Offload data handler 1765, and forwards non-broken outtraffic and control system data flows to the RNC (step 2040).

Referring to FIG. 21, a method 2100 begins when NodeB sends data towardsRNC (step 2110). The switching application in IuB DOGW redirects thebroken out traffic to the edge service mechanism (step 2120), such asedge cache mechanism 1730 in FIG. 17. The switching application alsoforwards non-broken out data and signaling data to the RNC (step 2130)via the original RAN connections. The RNC can still receive data fornon-broken out traffic from MIOP@NodeB when breakout=YES (step 2140).The RNC then sends non-broken out traffic from MIOP@NodeB from UE whenbreakout=YES to IuPS DOGW transport address specified in RAB assignmentrequest (step 2150).

A simple example is now provided for the specific implementation in FIG.17 to show how data can be cached and delivered by MIOP@NodeB 210.Referring to FIG. 22, method 2200 represents steps performed in theimplementation in FIG. 17 for a cache miss. UE sends a data request toNodeB (step 2210). NodeB sends the data request to IuB DOGW (step 2215).We assume the requested data meets the offload criteria at MIOP@NodeB(step 2220), which means MIOP@NodeB has been authorized to performbreakout and has determined this requested data should be broken out.IuB DOGW sends the data request to the edge cache mechanism (step 2225).We assume the data is not present in the edge cache mechanism, so due tothe cache miss, the edge cache mechanism sends the data request back toIuB DOGW (step 2230). IuB DOGW then forwards the data request toMIOP@RNC via the overlay network (step 2235). In the worst case thecontent is not cached on MIOP@RNC or MIOP@Core, MIOP@RNC routes the datarequest to via the overlay network to the MIOP@Core, which passes thedata request up the line to the internet, which delivers the requesteddata to MIOP@Core, which delivers the requested data via the overlaynetwork to MIOP@RNC (step 2240). IuPS DOGW then sends the requested datato IuB DOGW (step 2245). IuB DOGW then sends the requested data to theedge cache mechanism (step 2250). The edge cache mechanism caches therequested data (step 2255). The edge cache mechanism sends the requesteddata to IuB DOGW (step 2260). The offload data handler in IuB DOGW sendsthe requested data to NodeB (step 2265). NodeB then sends the requesteddata to UE (step 2270). At this point, method 2200 is done.

Method 2300 in FIG. 23 shows the steps performed for a cache hit in thespecific implementation in FIG. 17. The UE sends the data request toNodeB (step 2310). NodeB sends the data request to IuB DOGW (step 2320).The requested data meets the offload criteria at MIOP@NodeB (step 2330).IuB DOGW sends the data request to the edge cache mechanism (step 2340).Due to a cache hit, the edge cache mechanism sends the requested datafrom the cache to IuB DOGW (step 2350). The offload data handler in IuBDOGW sends the requested data to NodeB (step 2360). Node B then sendsthe requested data to UE (step 2370). Method 2300 shows a greatadvantage in caching data at MIOP@NodeB. With data cached at MIOP@NodeB,the data may be delivered to the user equipment without any backhaul onthe core network. The result is reduced network congestion in the corenetwork while improving quality of service to the subscriber.

The methods shown in FIGS. 18-23 provide detailed steps for the specificimplementation in FIG. 17. Other implementations may have detailed stepsthat are different than those shown in FIGS. 18-23. These are shown byway of example, and are not limiting of the disclosure and claimsherein.

The architecture of the MIOP system allows services to be layered ornested. For example, the MIOP system could determine to do breakout ofhigh-speed channels at MIOP@NodeB, and to do breakout of low-speedchannels at MIOP@RNC. In another example, MIOP@NodeB may have a cache,MIOP@RNC may also have a cache, and MIOP@Core may also have a cache. Ifthere is a cache miss at MIOP@NodeB, the cache in MIOP@RNC could bechecked, followed by checking the cache in MIOP@Core. Thus, decisionscan be dynamically made according to varying conditions of what data tocache and where.

To support the MIOP services that are possible with the mobile datanetwork 200 shown in FIG. 2, the preferred configuration of MIOP@NodeB210 is a combination of hardware and software. The preferredconfiguration of MIOP@RNC 220 is also a combination of hardware andsoftware. The preferred configuration of MIOP@Core 230 is software only,and can be run on any suitable hardware in the core network. Thepreferred configuration of MIOP@NMS 240 is software only, and can alsobe run on any suitable hardware in the core network.

In the most preferred implementation, the various functions ofMIOP@NodeB 210, MIOP@RNC 220, MIOP@Core 230, and MIOP@NMS 240 areperformed in a manner that is nearly transparent to existing equipmentin the mobile data network. Thus, the components in prior art mobiledata network 100 that are also shown in the mobile data network 200 inFIG. 2 have no knowledge of the existence of the various MIOPcomponents, with the exception of existing routers that may need to beupdated with routing entries corresponding to the MIOP components. TheMIOP services are provided by the MIOP components in a way that requiresno changes to hardware and only minor changes to software (i.e., newrouter entries) in any existing equipment in the mobile data network,thereby making the operation of the MIOP components transparent to theexisting equipment once the MIOP components are installed andconfigured. The result is a system for upgrading existing mobile datanetworks as shown in FIG. 1 in a way that does not require extensivehardware or software changes to the existing equipment. The MIOPservices herein can thus be performed without requiring significantcapital expenditures to replace or reprogram existing equipment.

Referring to FIG. 24, one suitable hardware architecture for MIOP@NodeB2410 is shown. MIOP@NodeB 2410 is one specific implementation forMIOP@NodeB 210 shown in FIGS. 2, 4 and 17. MIOP@NodeB 2410 is onesuitable example of a breakout component that may be incorporated intoan existing mobile data network. The specific architecture was developedbased on a balance between needed function and cost. The hardwarecomponents shown in FIG. 24 may be common off-the-shelf components. Theyare interconnected and programmed in a way to provided needed functionwhile keeping the cost low by using off-the-shelf components. Thehardware components shown in FIG. 24 include a system controller 2412, aservice processor 2420, a security subsystem 2430, and a telco breakoutsubsystem 2450. In one suitable implementation for MIOP@NodeB 2410 shownin FIG. 24, the system controller 2412 is an x86 system. The serviceprocessor 2420 is an IBM Integrated Management Module version 2 (IMMv2).The security subsystem 2430 includes an ATMEL processor and anon-volatile memory such as a battery-backed RAM for holding keys. Thetelco breakout system 2450 performs the breakout functions forMIOP@NodeB 2410. In this specific implementation, the x86 and IMMv2 areboth on a motherboard that includes a Peripheral Component InterconnectExpress (PCIe) slot. A riser card plugged into the PCIe slot on themotherboard includes the security subsystem 2430, along with two PCIeslots for the telco breakout system 2450. The telco breakout system 2450may include a telco card and a breakout card that performs breakout asdescribed in detail above with respect to FIG. 17.

One suitable x86 processor that could serve as system controller 2412 isthe Intel Xeon E3-1220 processor. One suitable service processor 2420 isan IBM Renassas SH7757, but other known service processors could beused. One suitable processor for the security subsystem 2430 is an ATMELprocessor UC3 L064, and one suitable non-volatile memory for thesecurity subsystem 2430 is a DS3645 battery-backed RAM from Maxim. Onesuitable processor for the telco breakout subsystem 2450 is the CaviumOcteon II CN63XX.

Various functions of the MIOP@NodeB 2410 shown in FIG. 24 are dividedamongst the different components. Referring to FIG. 25, the systemcontroller 2412 implements an appliance mechanism 2510, a platformservices mechanism 2520, and an edge application serving mechanism 2530.The appliance mechanism 2510 provides an interface to MIOP@NodeB thathides the underlying hardware and software architecture by providing aninterface that allows configuring and using MIOP@NodeB without knowingthe details of the underlying hardware and software. The platformservices mechanism 2520 provides messaging support between thecomponents in MIOP@NodeB, allows managing the configuration of thehardware and software in MIOP@NodeB, and monitors the health of thecomponents in MIOP@NodeB. The edge application serving mechanism 2530allows software applications to run within MIOP@NodeB that perform oneor more mobile network services at the edge of the mobile data networkin response to broken-out data received from user equipment or sent touser equipment. In the most preferred implementation, the data brokenout and operated on by MIOP@NodeB is Internet Protocol (IP) datarequests received from the user equipment and IP data sent to the userequipment. The edge application service mechanism 2530 may serve bothapplications provided by the provider of the mobile data network, andmay also serve third party applications as well. The edge applicationserving mechanism 2530 provides a plurality of mobile network servicesto user equipment at the edge of the mobile data network in a way thatis mostly transparent to existing equipment in the mobile data network.

Referring to FIG. 26, the service processor 2420 includes a thermalmonitor/control mechanism 2610, a hardware monitor 2620, a fail-to-wirecontrol mechanism 2630, a key mechanism 2640, a system controllermonitor/reset mechanism 2650, and a display/indicator mechanism 2660.The thermal monitor/control mechanism 2610 monitors temperatures andactivates controls to address thermal conditions. For example, thethermal monitor 2610 monitors temperature within the MIOP@NodeBenclosure, and activates one or more fans within the enclosure when thetemperature exceeds some threshold. In addition, the thermalmonitor/control mechanism 2610 may also monitor temperature in thebasestation external to the MIOP@NodeB enclosure, and may controlenvironmental systems that heat and cool the basestation itself externalto the MIOP@NodeB enclosure. The hardware monitor 2620 monitors hardwarefor errors. Examples of hardware that could be monitored with hardwaremonitor 2620 include CPUs, memory, power supplies, etc. The hardwaremonitor 2620 could monitor any of the hardware within MIOP@NodeB 2410.

The fail-to-wire control mechanism 2630 is used to switch a fail-to-wireswitch to a first operational state when MIOP@NodeB is fully functionalthat causes data between the upstream computer system and the downstreamcomputer system to be processed by MIOP@NodeB 2410, and to a secondfailed state that causes data to be passed directly between the upstreamcomputer system and the downstream computer system without beingprocessed by MIOP@NodeB 2410. The key mechanism 2640 provides aninterface for accessing the security subsystem 2430. The systemcontroller monitor/reset mechanism 2650 monitors the state of the systemcontroller 2412, and resets the system controller 2412 when needed. Thedisplay/indicator mechanism 2660 activates a display and indicators onthe front panel of the MIOP@NodeB to provide a visual indication of thestatus of MIOP@NodeB.

Referring to FIG. 27, the security subsystem 2430 includes a key storage2702 that is a non-volatile storage for keys, such as a battery-backedRAM. The security subsystem 2430 further includes a key mechanism 2710and a tamper detection mechanism 2720. Key mechanism 2710 stores keys tothe non-volatile key storage 2702 and retrieves keys from thenon-volatile key storage 2702. Any suitable keys could be stored in thekey storage 2702. The security subsystem 2430 controls access to thekeys stored in key storage 2702 using key mechanism 2710. The tamperdetection mechanism 2720 detects physical tampering of MIOP@NodeB, andperforms functions to protect sensitive information within MIOP@NodeBwhen physical tampering is detected. The enclosure for MIOP@NodeBincludes tamper switches that are triggered if an unauthorized persontries to open the box. In response, the tamper detection mechanism maytake any suitable action, including actions to protect sensitiveinformation, such as not allowing MIOP@NodeB to boot the next time,erasing keys in key storage 2702, and actions to sound an alarm that thetampering has occurred.

Referring to FIG. 28, the telco breakout system 2450 includes a telcocard 2802, a breakout mechanism 2810, and an overlay network mechanism2820. Telco card 2802 is any suitable card for handling networkcommunications in the radio access network. Breakout mechanism 2810 isone specific implementation for breakout mechanism 410 shown in FIG. 4.Breakout mechanism 2810 performs the breakout functions as described indetail above. The breakout mechanism 2810 interrupts the connectionbetween the NodeB and the next upstream component in the radio accessnetwork, such as the RNC, as shown in FIG. 2. Non-broken out data fromthe upstream component is simply passed through MIOP@NodeB to the NodeB.Non-broken out data from the NodeB is simply passed through MIOP@NodeBto the upstream component. Note the path for non-broken out data is thetraditional path for data in the mobile data network before the MIOPcomponents were added. Broken-out data is intercepted by MIOP@NodeB, andmay be appropriate processed at MIOP@NodeB, or may be routed to anupstream component via a different data path, such as to MIOP@RNC viathe overlay network. The telco breakout system 2450 includes an overlaynetwork mechanism 2820 that allows MIOP@NodeB 2410 to communicate viathe overlay network. For example, MIOP@NodeB 2410 could use overlaynetwork mechanism 2820 to communicate with MIOP@RNC 220 or tocommunicate with other MIOP@NodeBs.

The edge application mechanism 2530 may provide many different mobilenetwork services. Examples of some of these services are shown in FIG.29. This specific implementation for edge application mechanism 2530includes an edge caching mechanism 2910, a push-based service mechanism2920, a third party edge application serving mechanism 2930, ananalytics mechanism 2940, a filtering mechanism 2950, arevenue-producing service mechanism 2960, and a charging mechanism 2970.The edge caching mechanism 2910 is one suitable implementation of edgecache mechanism 1730 shown in FIG. 17, and includes the functionsdescribed above with respect to FIG. 17. The push-based servicemechanism 2920 provides support for any suitable push-based service,whether currently known or developed in the future. Examples of knownpush-based services include without limitation incoming text messages,incoming e-mail, instant messaging, peer-to-peer file transfers, etc.

The third party edge application serving mechanism 2930 allows runningthird party applications that provide mobile network services at theedge of the mobile data network. The capability provided by the thirdparty edge application serving mechanism 2930 opens up new ways togenerate revenue in the mobile data network. The operator of the mobiledata network may generate revenue both from third parties that offeredge applications and from subscribers who purchase or use edgeapplications. Third party applications for user equipment has become avery profitable business. By also providing third party applicationsthat can run at the edge of the mobile data network, the experience ofthe user can be enhanced. For example, face recognition software is verycompute-intensive. If the user were to download an application to theuser equipment to perform face recognition in digital photographs, theperformance of the user equipment could suffer. Instead, the user couldsubscribe to or purchase a third party application that runs at the edgeof the mobile data network (executed by the third party edge applicationserving mechanism 2930) that performs face recognition. This would allowa subscriber to upload a photo and have the hardware resources inMIOP@NodeB perform the face recognition instead of performing the facerecognition on the user equipment. We see from this simple example it ispossible to perform a large number of different functions at the edge ofthe mobile data network that were previously performed in the userequipment or upstream in the mobile data network. By providingapplications at the edge of the mobile data network, the quality ofservice for subscribers increases.

The analytics mechanism 2940 performs analysis of broken-out data. Theresults of the analysis may be used for any suitable purpose or in anysuitable way. For example, the analytics mechanism 2940 could analyze IPtraffic on MIOP@NodeB, and use the results of the analysis to moreintelligently cache IP data by edge caching mechanism 2910. In addition,the analytics mechanism 2940 makes other revenue-producing servicespossible. For example, the analytics mechanism 2940 could track IPtraffic and provide advertisements targeted to user equipment in aparticular geographic area served by the basestation. Because data isbeing broken out at MIOP@NodeB, the analytics mechanism 2940 may performany suitable analysis on the broken out data for any suitable purpose.

The filtering mechanism 2950 allows filtering content delivered to theuser equipment by MIOP@NodeB. For example, the filtering mechanism 2950could block access to adult websites by minors. This could be done, forexample, via an application on the user equipment or via a third partyedge application that would inform MIOP@NodeB of access restrictions,which the filtering mechanism 2950 could enforce. The filteringmechanism 2950 could also filter data delivered to the user equipmentbased on preferences specified by the user. For example, if thesubscriber is an economist and wants news feeds regarding economicissues, and does not want to read news stories relating to elections orpolitics, the subscriber could specify to exclude all stories thatinclude the word “election” or “politics” in the headline. Of course,many other types of filtering could be performed by the filteringmechanism 2950. The filtering mechanism 2950 preferably performs anysuitable data filtering function or functions, whether currently knownor developed in the future.

The revenue-producing service mechanism 2960 provides new opportunitiesfor the provider of the mobile data network to generate revenue based onthe various functions MIOP@NodeB provides. An example was given abovewhere the analytics mechanism 2940 can perform analysis of data brokenout by MIOP@NodeB, and this analysis could be provided by therevenue-producing service mechanism 2960 to interested parties for aprice, thereby providing a new way to generate revenue in the mobiledata network. Revenue-producing service mechanism 2960 broadlyencompasses any way to generate revenue in the mobile data network basedon the specific services provided by any of the MIOP components.

The charging mechanism 2970 provides a way for MIOP@NodeB to inform theupstream components in the mobile data network when the subscriberaccesses data that should incur a charge. Because data may be providedto the subscriber directly by MIOP@NodeB without that data flowingthrough the normal channels in the mobile data network, the chargingmechanism 2970 provides a way for MIOP@NodeB to charge the subscriberfor services provided by MIOP@NodeB of which the core network is notaware. The charging mechanism 2970 tracks the activity of the user thatshould incur a charge, then informs a charging application in the corenetwork that is responsible for charging the subscriber of the chargesthat should be billed.

The hardware architecture of MIOP@NodeB shown in FIGS. 24-29 allowsMIOP@NodeB to function in a way that is mostly transparent to existingequipment in the mobile data network. For example, if an IP request fromuser equipment may be satisfied from data held in a cache by edgecaching mechanism 2910, the data may be delivered directly to the userequipment by MIOP@NodeB without traversing the entire mobile datanetwork to reach the Internet to retrieve the needed data. This cangreatly improve the quality of service for subscribers by performing somany useful functions at the edge of the mobile data network. The corenetwork will have no idea that MIOP@NodeB handled the data request,which means the backhaul on the mobile data network is significantlyreduced. The MIOP components disclosed herein thus provide a way tosignificantly improve performance in a mobile data network by adding theMIOP components to an existing mobile data network without affectingmost of the functions that already existed in the mobile data network.

Some services provided by MIOP@NodeB may use keys for the sake ofsecurity. For example, Transport Layer Security (TLS) may be used tocommunicate between MIOP components, such as between MIOP@NodeB andMIOP@RNC over the overlay network. Internet Protocol Security (IPsec)may also be used to authenticate and encrypt each IP packet of acommunication session. Certain data may need to be protected byencryption. In addition, audit logs may need to be digitally signedbefore transmission. All of these services require keys, andapplications that provide these services need access to one or more keysto perform their services. In the prior art, keys are stored in anon-volatile storage, and are read from the non-volatile storage whenneeded. In a system such as MIOP@NodeB that includes many differentsystems and subsystems, such free and easy access to keys is notdesirable because such a system can be easily hacked. Instead, a moresecure way to store and handle keys is needed. This is the subjectmatter of FIGS. 30-34 and the claims herein.

In the specific implementation shown in FIG. 24, the various componentscommunicate with each other via an Inter-Integrated Circuit (I2C)interface, where the security subsystem 2430 is the master and thesystem controller 2412, service processor 2420, and telco breakoutsystem 2450 are slaves. This allows the security subsystem to strictlycontrol all access to keys by the subsystems.

For the MIOP@NodeB architecture shown in FIG. 24, the security subsystem2430 stores and manages keys in MIOP@NodeB. Referring to FIG. 30, whenMIOP@NodeB is being manufactured, the service processor requestsinitiation of the security subsystem (step 3010). In response, thesecurity subsystem initializes its key storage, arms the tamperdetection mechanism, and sends an acknowledgment of the initializationto the service processor (step 3020). The MIOP@NodeB system is thenrebooted, and the system controller runs a script to generate the neededkeys (step 3030). The system controller writes the keys to the securitysubsystem (step 3040). FIG. 31 shows one suitable command that could beused for the system controller to write keys to the security subsystemin step 3040. This WriteKey command specifies key data, a keyidentifier, and may also specify an optional secret value. The key datais the key that was generated by the system controller. The keyidentifier is a unique identifier used to store and retrieve the key.The optional secret value may be included to further enhance thesecurity of key storage and retrieval by adding another piece ofinformation that must be known by a subsystem that requests access tokeys from the security subsystem. The secret value is used to identifythe requestor of the key, and may be encrypted so potential hackerscannot determine the secret value from a bus probe. The securitysubsystem then writes the keys to its non-volatile key storage (step3050). At this point, the keys are stored in the non-volatile keystorage 2702 in the security subsystem 2430.

When the MIOP@NodeB system 2410 is put into operation in a mobile datanetwork, different subsystems may need keys as described above. Forexample, the system controller 2412 may need keys for TLScommunications, for digitally signing an audit log, and for encryptingdata. The telco breakout system 2450 may need keys for TLScommunications and IPsec communications. Referring to FIG. 32, a method3200 applies to a subsystem that needs a key, such as the systemcontroller 2412 or the telco breakout system 2450. The subsystem thatneeds a key requests the key from the security subsystem with keyvalidation values (step 3210). Referring to FIG. 33, a suitable commandis shown that could be used for the subsystem to receive a key from thesecurity subsystem. The ReadKey command specifies the key identifier andthe optional secret value for retrieving the key. The key identifier andthe optional secret value are the “key validation values” referred to inFIG. 32. The security system validates the key validation values (step3220). If the key validation values are not validated (step 3230=NO), anerror message is returned to the requesting subsystem denying therequested key (step 3240). If the key validation values are validated(step 3230=YES), the security subsystem retrieves the requested key fromthe non-volatile key storage (step 3250), and writes the key to therequesting subsystem (step 3260). At this point the requesting subsystemhas the requested key.

Referring to FIG. 34, a method 3400 shows a specific method that may beused for a subsystem (such as the system controller 2412 or telcobreakout system 2450 shown in FIG. 24) to receive and use a key. Anapplication running on a subsystem requests a key from the subsystem(step 3410). The subsystem then requests the key from the securitysubsystem (step 3420). Method 3200 in FIG. 32 is one suitableimplementation for step 3400 in FIG. 34. Once the subsystem receives thekey, it stores the key in the subsystem's shared memory (step 3430). Weassume for this implementation a shared memory is defined in thesubsystem that is known only to the requesting application and to thesubsystem. The subsystem writes the address of the key in the sharedmemory to the requesting application (step 3440). The requestingapplication then accesses the key in the subsystem's shared memory (step3450). The shared memory provides one more level of protection for thekey, because the key is not given directly to the requestingapplication, but instead the key is stored in the shared memory and theaddress of the key in the shared memory is written to the requestingapplication. Note the address written in step 3440 to the requestingapplication is not the full address, but is some offset from apredefined starting point in the key memory. This prevents a hacker'sapplication from receiving the key data, because if the hacker'sapplication receives the offset of the key in the shared memory but doesnot know the starting location of the shared memory, the hacker'sapplication will still not be able to access the key.

The mobile data network 200 disclosed herein includes MIOP componentsthat provide a variety of different services that are not possible inprior art mobile data network 100. In the most preferred implementation,the MIOP components do not affect voice traffic in the mobile datanetwork. In addition to performing optimizations that will enhanceperformance in the form of improved download speeds, lower latency foraccess, or improved quality of experience in viewing multimedia on themobile data network, the MIOP architecture also provides additionalcapabilities that may produce new revenue-generating activities for thecarrier. For example, analytics may be performed on subscriber sessionsthat allow targeting specific subscribers with additional services fromthe carrier to generate additional revenue. For example, subscriberscongregating for a live music event may be sent promotions on paid formedia related to that event. In another example, subscribers getting offa train may be sent a coupon promoting a particular shuttle company asthey walk up the platform towards the street curb. Also, premium webcontent in the form of video or other multimedia may be served fromlocal storage and the subscriber would pay for the additional contentand quality of service.

While the mobile data network in FIG. 2 and discussed herein is in thecontext of a 3G mobile data network, the disclosure and claims hereinexpressly extend to other networks as well, including Long TermEvolution (LTE) networks, flat RAN networks, and code division multipleaccess (CDMA) networks.

As will be appreciated by one skilled in the art, aspects of the presentinvention may be embodied as a system, method or computer programproduct. Accordingly, aspects of the present invention may take the formof an entirely hardware embodiment, an entirely software embodiment(including firmware, resident software, micro-code, etc.) or anembodiment combining software and hardware aspects that may allgenerally be referred to herein as a “circuit,” “module” or “system.”Furthermore, aspects of the present invention may take the form of acomputer program product embodied in one or more computer readablemedium(s) having computer readable program code embodied thereon.

Any combination of one or more computer readable medium(s) may beutilized. The computer readable medium may be a computer readable signalmedium or a computer readable storage medium. A computer readablestorage medium may be, for example, but not limited to, an electronic,magnetic, optical, electromagnetic, infrared, or semiconductor system,apparatus, or device, or any suitable combination of the foregoing. Morespecific examples (a non-exhaustive list) of the computer readablestorage medium would include the following: an electrical connectionhaving one or more wires, a portable computer diskette, a hard disk, arandom access memory (RAM), a read-only memory (ROM), an erasableprogrammable read-only memory (EPROM or Flash memory), an optical fiber,a portable compact disc read-only memory (CD-ROM), an optical storagedevice, a magnetic storage device, or any suitable combination of theforegoing. In the context of this document, a computer readable storagemedium may be any tangible medium that can contain, or store a programfor use by or in connection with an instruction execution system,apparatus, or device.

A computer readable signal medium may include a propagated data signalwith computer readable program code embodied therein, for example, inbaseband or as part of a carrier wave. Such a propagated signal may takeany of a variety of forms, including, but not limited to,electro-magnetic, optical, or any suitable combination thereof. Acomputer readable signal medium may be any computer readable medium thatis not a computer readable storage medium and that can communicate,propagate, or transport a program for use by or in connection with aninstruction execution system, apparatus, or device.

Program code embodied on a computer readable medium may be transmittedusing any appropriate medium, including but not limited to wireless,wireline, optical fiber cable, RF, etc., or any suitable combination ofthe foregoing.

Computer program code for carrying out operations for aspects of thepresent invention may be written in any combination of one or moreprogramming languages, including an object oriented programming languagesuch as Java, Smalltalk, C++ or the like and conventional proceduralprogramming languages, such as the “C” programming language, StreamsProcessing language, or similar programming languages. The program codemay execute entirely on the user's computer, partly on the user'scomputer, as a stand-alone software package, partly on the user'scomputer and partly on a remote computer or entirely on the remotecomputer or server. In the latter scenario, the remote computer may beconnected to the user's computer through any type of network, includinga local area network (LAN) or a wide area network (WAN), or theconnection may be made to an external computer (for example, through theInternet using an Internet Service Provider).

Aspects of the present invention are described herein with reference toflowchart illustrations and/or block diagrams of methods, apparatus(systems) and computer program products according to embodiments of theinvention. It will be understood that each block of the flowchartillustrations and/or block diagrams, and combinations of blocks in theflowchart illustrations and/or block diagrams, can be implemented bycomputer program instructions. These computer program instructions maybe provided to a processor of a general purpose computer, specialpurpose computer, or other programmable data processing apparatus toproduce a machine, such that the instructions, which execute via theprocessor of the computer or other programmable data processingapparatus, create means for implementing the functions/acts specified inthe flowchart and/or block diagram block or blocks.

These computer program instructions may also be stored in a computerreadable medium that can direct a computer, other programmable dataprocessing apparatus, or other devices to function in a particularmanner, such that the instructions stored in the computer readablemedium produce an article of manufacture including instructions whichimplement the function/act specified in the flowchart and/or blockdiagram block or blocks.

The computer program instructions may also be loaded onto a computer,other programmable data processing apparatus, or other devices to causea series of operational steps to be performed on the computer, otherprogrammable apparatus or other devices to produce a computerimplemented process such that the instructions which execute on thecomputer or other programmable apparatus provide processes forimplementing the functions/acts specified in the flowchart and/or blockdiagram block or blocks.

The methods disclosed herein may be performed as part of providing aweb-based service. Such a service could include, for example, offeringthe method to online users in exchange for payment.

The disclosure and claims are directed to a mobile data network thatincludes service mechanisms and methods for performing services in themobile data network. A first service mechanism in the radio accessnetwork breaks out data coming from a basestation, and performs one ormore mobile network services at the edge of the mobile data networkbased on the broken out data. These services may include caching ofdata, data or video compression techniques, push-based services,charging, application serving, analytics, security, data filtering, andnew revenue-producing services, as well as others. This architectureallows performing new mobile network services at the edge of a mobiledata network within the infrastructure of an existing mobile datanetwork.

One skilled in the art will appreciate that many variations are possiblewithin the scope of the claims. Thus, while the disclosure isparticularly shown and described above, it will be understood by thoseskilled in the art that these and other changes in form and details maybe made therein without departing from the spirit and scope of theclaims.

The invention claimed is:
 1. A method for processing data packets in amobile data network that includes a radio access network coupled to acore network, the method comprising: a plurality of antennas sending andreceiving network messages between user equipment and a plurality ofbasestations in the radio access network, each basestation communicatingwith a corresponding one of the plurality of antennas; providing abreakout component in one of the plurality of basestations, the breakoutcomponent comprising: a system controller that controls function of thebreakout component; a service processor that monitors the breakoutcomponent and provides control functions for the breakout component; asecurity subsystem that includes a key mechanism for storing keys to anon-volatile key storage and retrieving keys from the non-volatile keystorage, wherein the keys are written to the non-volatile key storage inthe security subsystem with a corresponding key identifier and acorresponding secret value during manufacture of the breakout component,the security subsystem comprising a tamper detection mechanism thatdetects tampering of the breakout component, and in response to adetected tampering of the breakout component, erases the keys in thenon-volatile key storage; a telco breakout system that performs:defining an existing first data path in the radio access network fornon-broken out data; defining a second data path for broken out data;identifying first data received from a corresponding basestation as datato be broken out; sending the first data on the second data path;forwarding other data that is not broken out on the first data path; andperforming a plurality of services with respect to internet protocol(IP) data sent to the user equipment in response to an IP data requestin the first data from the user equipment; writing the keys to thenon-volatile key storage in the security subsystem during manufacture ofthe breakout component with each key having a corresponding keyidentifier and a corresponding secret value; when an application runningon a first subsystem system in the breakout component requires access toa key stored in the non-volatile key storage, the application requestingaccess to the key from the first subsystem using the key identifier andsecret value corresponding to the key, and in response to the request bythe application to access the key, the first subsystem retrieving thekey from the security subsystem and writing the key to a shared memoryin the first subsystem; the application accessing the key in the sharedmemory; detecting tampering of the breakout component; and in responseto a detected tampering of the breakout component, erasing the keys inthe non-volatile key storage.
 2. A method for processing data packets ina mobile data network that includes a radio access network coupled to acore network, the method comprising: a plurality of antennas sending andreceiving network messages between user equipment and a plurality ofbasestations in the radio access network, each basestation communicatingwith a corresponding one of the plurality of antennas; a breakoutcomponent in the one of the plurality of basestations that performs:defining an existing first data path in the radio access network fornon-broken out data; defining a second data path for broken out data;identifying first data received from a corresponding basestation as datato be broken out; sending the first data on the second data path;forwarding other data that is not broken out on the first data path; andperforming a first service with respect to internet protocol (IP) datasent to the user equipment in response to an IP data request in thefirst data from the user equipment; storing keys to a non-volatile keystorage and retrieving keys from the non-volatile key storage; and whenan application running on a first subsystem system in the breakoutcomponent requires access to a key stored in the non-volatile keystorage, the application requesting access to the key from the firstsubsystem, and in response to the request by the application to accessthe key, the first subsystem retrieving the key from the securitysubsystem and writing the key to a shared memory in the first subsystem.3. The method of claim 2 further comprising: detecting tampering of thebreakout component; and in response to a detected tampering of thebreakout component, erasing the keys in the non-volatile key storage. 4.The method of claim 2 further comprising writing the keys to thenon-volatile key storage in the security subsystem during manufacture ofthe breakout component.
 5. The method of claim 4 where writing the keysto the non-volatile key storage in the security subsystem compriseswriting each key with a corresponding key identifier.
 6. The method ofclaim 5 wherein writing the keys to the non-volatile key storage in thesecurity subsystem comprises writing each key with a correspondingsecret value.
 7. The method of claim 2 further comprising the firstsubsystem requesting the key from the security subsystem using a keyidentifier corresponding to the key.
 8. The method of claim 7 whereinthe first subsystem requesting the key from the security subsystemfurther comprises requesting the key from the security subsystem using asecret value corresponding to the key.
 9. The method of claim 2 furthercomprising the application accessing the key in the shared memory.